initial commit

.gitattributes

@@ -0,0 +1 @@
+*.service	linguist-language=systemd

.yamllint

@@ -0,0 +1,12 @@
+---
+yaml-files:
+  - '*.yaml'
+  - '*.yml'
+  - '.yamllint'
+
+rules:
+  line-length:
+    level: warning
+
+# vim: ft=yaml bs=2 ts=2
+...

LICENSE

@@ -0,0 +1,14 @@
+DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+
+Version 2, December 2004
+
+Copyright (C) 2022 dotya.ml authors
+
+Everyone is permitted to copy and distribute verbatim or modified copies of
+this license document, and changing it is allowed as long as the name is changed.
+
+DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+
+TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+   0. You just DO WHAT THE FUCK YOU WANT TO.

README.md

@@ -0,0 +1,9 @@
+# [searxng](https://git.dotya.ml/dotya.ml/searxng)
+
+this repo holds configs of [dotya.ml's SearxNG instance](https://searxng.dotya.ml/).
+
+see what engines are configured in the ENGINES tab of
+[preferences](https://searxng.dotya.ml/searxng/preferences).
+
+### LICENSE
+WTFPLv2, see [LICENSE](LICENSE) for details

etc/searxng/docker-compose.yml

@@ -0,0 +1,59 @@
+---
+version: '3.7'
+
+services:
+  redis:
+    image: docker.io/library/redis:alpine
+    restart: always
+    labels: [traefik.enable=false]
+    command: redis-server --save "" --appendonly "no"
+    networks:
+      - searxng
+    # tmpfs:
+      # - /var/lib/redis
+    volumes:
+      - /var/lib/searxng/redis:/var/lib/redis
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETGID
+      - SETUID
+      - DAC_OVERRIDE
+
+  searxng:
+    image: docker.io/searxng/searxng:2022.08.19-6f28a69f
+    restart: always
+    labels: [traefik.enable=false]
+    networks:
+      - searxng
+    ports:
+      - 127.0.0.1:8480:8080
+    volumes:
+      - /etc/searxng/searxng:/etc/searxng:rw
+    env_file:
+      - /etc/searxng/searxng.env
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+      - DAC_OVERRIDE
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1m"
+        max-file: "1"
+    healthcheck:
+      # DON'T
+      # test:i "/usr/bin/wget -q -Y off http://localhost:8080/about -O /dev/null > /dev/null 2>&1"
+      # DO:
+      test: "/usr/bin/wget -q -Y off http://localhost:8080/about -O /dev/null 2>&-"
+      interval: 10s
+      retries: 20
+
+networks:
+  searxng:
+    ipam:
+      driver: default
+...

etc/searxng/searxng.env

@@ -0,0 +1,3 @@
+SEARXNG_HOSTNAME=https://searxng.dotya.ml
+BASE_URL=https://searxng.dotya.ml/
+INSTANCE_NAME="dotya.ml's SearXNG"

etc/searxng/searxng/settings.yml

@@ -0,0 +1,171 @@
+---
+# see https://docs.searxng.org/admin/engines/settings.html#use-default-settings
+use_default_settings: true
+
+general:
+  debug: false
+  instance_name: "dotya.ml's SearXNG"
+  # keep stats on what engines are being used and their performance.
+  enable_metrics: true
+  contact_url: https://dotya.ml/contact/
+
+search:
+  safe_search: 0
+  autocomplete: 'google'
+  autocomplete_min: 2
+  formats:
+    - html
+    - csv
+    - json
+    - rss
+
+server:
+  base_url: https://searxng.dotya.ml/
+  method: "GET"
+  http_protocol_version: "1.1"
+  default_http_headers:
+    X-Content-Type-Options: nosniff
+    X-XSS-Protection: 1; mode=block
+    X-Download-Options: noopen
+    X-Robots-Tag: noindex, nofollow
+    Referrer-Policy: no-referrer, strict-origin-when-cross-origin
+  secret_key: "secretplsofcourseichangedit"
+  limiter: true  # can be disabled for a private instance, blocks some bots
+  image_proxy: true
+
+brand:
+  issue_url: https://git.dotya.ml/dotya.ml/searxng/issues
+
+ui:
+  static_use_hash: true
+  results_on_new_tab: true
+  infinite_scroll: false
+  query_in_title: false
+  default_theme: simple
+  theme_args:
+    simple_style: dark
+
+preferences:
+  lock:
+    - method
+    - query_in_title
+
+redis:
+  url: redis://redis:6379/0
+
+outgoing:
+  enable_http2: true
+  # default timeout in seconds, can be overriden by engine
+  request_timeout: 1.0
+  max_request_timeout: 2.5   # the maximum timeout in seconds
+  useragent_suffix: ""
+  # Maximum number of allowable connections, or null for no limits.
+  # The default is 100.
+  pool_connections: 1024
+  # Number of allowable keep-alive connections, or null to always allow.
+  # The default is 10.
+  pool_maxsize: 64
+
+engines:
+  - name: google
+    use_mobile_ui: true
+    shortcut: g
+  - name: google sk
+    engine: google
+    use_mobile_ui: true
+    language: sk
+    shortcut: gsk
+    disabled: true
+  - name: google de
+    engine: google
+    use_mobile_ui: true
+    language: de
+    shortcut: gde
+    disabled: true
+  - name: arch linux wiki
+    engine: archlinux
+    shortcut: aw
+  - name: fdroid
+    disabled: false
+  - name: ddg definitions
+    disabled: false
+  - name: lingva
+    disabled: false
+  - name: lib.rs
+    disabled: false
+  - name: sourcehut
+    disabled: false
+  - name: github
+    disabled: false
+  - name: codeberg
+    disabled: false
+  - name: lobste.rs
+    disabled: false
+  - name: stackoverflow
+    engine: stackoverflow
+    shortcut: so
+  - name: searchcode code
+    disabled: false
+  - name: tineye
+    timeout: 4.0
+  - name: soundcloud
+    timeout: 3.0
+  - name: youtube
+    timeout: 3.0
+  - name: bandcamp
+    timeout: 3.0
+  - name: google news
+    timeout: 3.0
+  # disabled
+  - name: brave
+    disabled: true
+  # needs a token
+  - name: deviantart
+    disabled: true
+  - name: artic
+    disabled: true
+  - name: mymemory translated
+    disabled: true
+  - name: wordnik
+    disabled: true
+  - name: btdigg
+    disabled: true
+  - name: solidtorrents
+    disabled: true
+  - name: vimeo
+    disabled: true
+  - name: google videos
+    disabled: true
+  - name: openairedatasets
+    disabled: true
+  - name: openairepublications
+    disabled: true
+  - name: library of congress
+    disabled: true
+  - name: dictzone
+    disabled: true
+  - name: genius
+    disabled: true
+
+categories_as_tabs:
+  general:
+  images:
+  videos:
+  news:
+  map:
+  music:
+  it:
+  science:
+  files:
+  social media:
+
+enabled_plugins:
+  - 'Hash plugin'
+  - 'Search on category select'
+  - 'Self Informations'
+  - 'Tracker URL remover'
+  - 'Ahmia blacklist'
+  - 'Infinite scroll'
+  - 'Results on new tabs'
+  - 'Open Access DOI rewrite'
+  - 'Vim-like hotkeys'

etc/searxng/searxng/uwsgi.ini

@@ -0,0 +1,49 @@
+[uwsgi]
+# Who will run the code
+uid = searxng
+gid = searxng
+
+# Number of workers (usually CPU count)
+workers = %k
+threads = 4
+
+# The right granted on the created socket
+chmod-socket = 666
+
+# Plugin to use and interpretor config
+single-interpreter = true
+master = true
+plugin = python3
+lazy-apps = true
+enable-threads = true
+
+# Module to import
+module = searx.webapp
+
+# Virtualenv and python path
+pythonpath = /usr/local/searxng/
+chdir = /usr/local/searxng/searx/
+
+# automatically set processes name to something meaningful
+auto-procname = true
+
+# Disable request logging for privacy
+disable-logging = true
+log-5xx = true
+
+# Set the max size of a request (request-body excluded)
+buffer-size = 8192
+
+# No keep alive
+# See https://github.com/searx/searx-docker/issues/24
+add-header = Connection: close
+
+# uwsgi serves the static files
+# expires set to one year since there are hashes
+static-map = /static=/usr/local/searxng/searx/static
+static-expires = /* 31557600
+static-gzip-all = True
+offload-threads = %k
+
+# Cache
+cache2 = name=searxngcache,items=2000,blocks=2000,blocksize=4096,bitmap=1

etc/systemd/system/searxng.service

@@ -0,0 +1,47 @@
+[Unit]
+Description=SearXNG service
+Requires=docker.service nginx.service
+Upholds=docker.service nginx.service
+After=docker.service nginx.service
+
+[Service]
+Restart=on-failure
+
+Environment=SEARXNG_DOCKERCOMPOSEFILE=/etc/searxng/docker-compose.yml
+
+; WorkingDirectory=/var/lib/searxng
+WorkingDirectory=/etc/searxng/searxng
+Restart=always
+RestartSec=7
+ExecStartPre=/usr/bin/docker-compose -p searxng -f ${SEARXNG_DOCKERCOMPOSEFILE} down
+ExecStart=/usr/bin/docker-compose -p searxng -f ${SEARXNG_DOCKERCOMPOSEFILE} up --remove-orphans
+ExecStop=/usr/bin/docker-compose -p searxng -f ${SEARXNG_DOCKERCOMPOSEFILE} down
+
+SystemCallFilter=~memfd_create @reboot @swap @cpu-emulation @debug @module @clock @raw-io @obsolete
+ProtectProc=invisible
+ProcSubset=pid
+ProtectHome=true
+; RestrictNamespaces=uts ipc pid user cgroup
+RestrictNamespaces=true
+NoNewPrivileges=true
+#SecureBits=noroot-locked
+ProtectSystem=strict
+PrivateTmp=true
+DevicePolicy=closed
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target